Hello,
usefull HTTP blacklists to prevent forum spam are (in order of efficiency):

Stop Forum Spam

BotScout

Akismet

The problem with HTTP blacklists is that every HTTP blacklist uses an own different API. There is no standard like it is for (most of) DNS blacklists.

For me one bad point for some phpBB integrations in past is that MOD authors just have used a third-party class or something like this. They used the phpBB integration like a bridge to the third-party class.
But the APIs are very easy and it's possible to make a integration only with phpBB default code and coding.

Project Honey Pot aka http:BL is a IP-RBL DNS blacklist which is using non-standard DNS blacklist requests with a own API. So it's also a candidate for a HTTP blacklist plug-in system.

phpBB3 Olympus and blacklists history:

Dec 2007 - Olympus has a poor IP-RBL DNS blacklist integration by default - a Domain-RBL DNS blacklist integration is included but remarked and not finished

Jun 2012 - phpBB devs are saying on Area51 that they are thinking about the integration of HTTP blacklists to the core

I think it's time to add it to the core!

Please don't integrate it just for something like a quarantine. Use it to block (or to prevent) spam(, too).
Do you really want that your moderators have to check hundreds/thousands of spam guest postings or spam user registrations per day?
Think about adding something like a weight system. So if you want spam will be blocked if it is found on at least two blacklists.
Add a feature to recheck posts and user accounts for spam. Add it to the related ACP and MCP pages. Also integrate this check into Who Is Online for analysis.

I've tried blacklists besides Akismet (including Martins advanced block MOD) and they haven't performed well at all. While Akismet doesn't catch all spam (and that would improve if every single phpBB board were reporting spam), the other two have a *lot* of false positives. From what I've seen, they see an IP that has previously spammed in the past, or a Russian ISP (yes, I had an issue with a genuine ISP being blocked), and they mark it as spam.

I think I am a bit confused at the different talks about integration here. Some are talking about registration and I think some are talking about checking posts. Akismet is designed for checking posts to see if they are spam, Stop Forum Spam, and other blacklists are for users (I would argue that checking posts for spam is far more valuable than users, because posts are where people do not want spam, and registration data can easily be sent as random numbers/letters, something that would not be possible to block).

As for whether or not this should be a plugin (official or not), built in, or have an interface for anti-spam built in, I do think that having an interface would be the nicest option for extend-ability and friendliness, but I think that the best option would be either a plugin or to have it built in. I would do it that way primarily because I think building an interface and administrative control system for it seems like significant work and that effort would be better put towards finishing something else, like plugins. I don't see advantages to an interface over the plugins system being great enough to offset the time spent writing it.

If it were just an official plugin that was included, and if others wanted to make other systems work that work the same way as Akismet, they would have a template (the Akismet plugin) ready to go, so it should be fairly easy for authors to make it work with other similar services.

naderman wrote:Rather than having hard coded integration with akismet, can we maybe have a generic plugin interface for these kinds of antispam tools? How much work would it be to change the pull request to be a generic antispam plugin feature with akismet as a default plugin shipped with phpBB?

naderman wrote:Rather than having hard coded integration with akismet, can we maybe have a generic plugin interface for these kinds of antispam tools? How much work would it be to change the pull request to be a generic antispam plugin feature with akismet as a default plugin shipped with phpBB?

KnocksX wrote:Doesn't Akismet require a credit card before giving you the API key? If so, it might run into problems with the GPL.

As long as we're only creating an interface to a service, how would their license affect phpBB at all? Are ReCAPTCHA and all of the other anti-spam services supported by CAPTCHA plug-ins GPL?

As for the overall concept, I think a multi-layered approach is best (all optional, of course):

CAPTCHAs for registering (and Guest posting). phpBB already has this.

Configurable blacklist support for those who want it. phpBB currently supports two non-configurable blacklists: spamcop.net and http://www.spamhaus.org at registration and posting. That should be configurable using plug-ins (ideally to allow more than one with some logic included for weighting) to support StopForumSpam and other services.

Post content scanning via plug-ins/extensions that could support Akismet and other services. Maybe phpBB could even ship a simple one, blocking posts with too many URLs and/or censored words (possibly in a specified group, like Newly Registered Users). That would allow blocking posts instead of having posts go into moderation. Maybe there could even be a Does not need post scanning permission for some groups.

The latter is really the only new item, although making the second item configurable would require some work.